Release date: June 14, 2011
Last updated: July 11, 2011
Vulnerability identifier: APSB11-15
CVE number: CVE-2011-2092, CVE-2011-2093
Platform: All Platforms
Two important security vulnerabilities have been identified in LiveCycle Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.0 and earlier versions. Adobe recommends users update their product installations using the instructions provided in the "Solution" section below.
Adobe recommends users update their LiveCycle Data Services, LiveCycle, and/or BlazeDS installations by applying the relevant update(s) using the instructions below:
LiveCycle Data Services
Flex Data Services 2.0.1
Prerequisite: Requires that Flex Data Services 2.0.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):
- Download the patch zip file for FDS 2.0.1, and extract the contents to your local file system.
- Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the Flex Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
- Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.
LiveCycle Data Services 2.5
Prerequisite: Requires that LiveCycle Data Services 2.5 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):
- Download the patch zip file for LCDS 2.5, and extract the contents to your local file system.
- Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
- Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.
LiveCycle Data Services 2.5.1
Prerequisite: Requires that LiveCycle Data Services 2.5.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):
- Download the patch zip file for LCDS 2.5.1, and extract the contents to your local file system.
- Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
- Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.
LiveCycle Data Services 2.6
Prerequisite: Requires that LiveCycle Data Services 2.6 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):
- Download the patch zip file for LCDS 2.6, and extract the contents to your local file system.
- Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
- Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.
LiveCycle Data Services 2.6.1
Prerequisite: Requires that LiveCycle Data Services 2.6.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):
- Download the patch zip file for LCDS 2.6.1, and extract the contents to your local file system.
- Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
- Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.
LiveCycle Data Services 3
Prerequisite: Requires that LiveCycle Data Services 3 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):
- Download the patch zip file for LCDS 3, and extract the contents to your local file system.
- Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
- It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.
LiveCycle Data Services 3.1
Prerequisite: Requires that LiveCycle Data Services 3.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):
- Download the patch zip file for LCDS 3.1, and extract the contents to your local file system.
- Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
- It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.
LiveCycle 9.0.0.2, 8.2.1.3 and 8.0.1.3
Download the appropriate Quick Fix for your version and respective platform/operating system of LiveCycle. Then review the Readme and follow the directions contained within to install:
LiveCycle 9.0.0.2:
Readme: QF2.111_9002
Application Server   Operating System   MD5                                File Size
JBoss                Windows            c770edba242e430a22eee8965f16792f   346M
WebLogic             Windows            f949c1b11af785331ff79d07d5e36597   346M
WebSphere            Windows            86a9b3952c1b31e118d84a70b5c85e20   405M
JBoss                Unix               7bde6fea7d69b14c6921db6e1698647c   346M
WebLogic             Unix               885ddb78ab49ba2851353b1acad833b0   346M
WebSphere            Unix               6e583aaf23bff784898bb1d1f9271676   405M
LiveCycle 8.2.1.3:
Readme: QF3.134_8213
Operating System   MD5                                File Size
Windows            38821142e06f9550ddfacef957ce4137   238M
Linux              bc9e9d5719e2d2d261043fa3a9a585e8   213M
Sun OS             d71331deb3522ed663a670280b2d514d   213M
AIX                4b01a13e220d8493fda3c8d1500188f0   213M
LiveCycle 8.0.1.3:
Readme: QF3.24_801
Operating System   MD5                                File Size
Windows            4f36c6ebdb59b3d67cf4df55c0c38bdc   274M
Linux              e6bb84903879929aa5a6eab5fab2dc81   249M
Sun OS             40b1dda0d6bca92b3b807cacb20ae0b0   249M
AIX                678ead1d58cc3f1e57d0aed44919e4a3
BlazeDS 4.0.0
Prerequisite: Requires that BlazeDS 4.0.0 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):
- Download the patch zip file for BlazeDS 4.0.1, and extract the contents to your local file system.
- Copy the files flex-messaging-common.jar and flex-messaging-core.jar to the /WEB-INF/lib/ directory of the BlazeDS Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
- It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.
Note: For earlier versions of BlazeDS, it is strongly recommended that you upgrade to the latest release build of BlazeDS 4 (v4.0.0 as of June 22, 2011) and then apply the security patch by following the installation instructions above.
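The hotfix procedure repeated in the sections above (check the download, replace the named jars under WEB-INF/lib, restart the server) as an added shell example. This is not Adobe's tooling and nothing in it is taken from the patch readmes; it assumes the jars live under WEBAPP/WEB-INF/lib as the instructions state, takes the expected MD5 as an argument (the bulletin publishes one per Quick Fix download), uses a backup suffix of my own choosing, and leaves the server restart to the operator.

```shell
#!/bin/sh
# Added example (not Adobe's tooling): verify a downloaded patch archive
# against the MD5 published in the bulletin, then install the hotfix jars
# into a web application's WEB-INF/lib, keeping a backup of each replaced jar.

# Print the MD5 of a file using whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED_MD5
# Returns 0 when the digest matches (case-insensitive), 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# install_hotfix_jars PATCH_DIR WEBAPP_DIR JAR...
# Copies each named jar from the extracted patch into WEBAPP_DIR/WEB-INF/lib,
# backing up any existing copy first. All jars are checked for presence before
# anything is copied, so a missing file leaves the deployment untouched.
install_hotfix_jars() {
    patch_dir=$1
    webapp=$2
    shift 2
    lib="$webapp/WEB-INF/lib"
    [ -d "$lib" ] || { echo "no WEB-INF/lib under $webapp" >&2; return 1; }
    for jar in "$@"; do
        [ -f "$patch_dir/$jar" ] || { echo "missing $jar in $patch_dir" >&2; return 1; }
    done
    stamp=$(date +%Y%m%d%H%M%S)
    for jar in "$@"; do
        if [ -f "$lib/$jar" ]; then
            # Backup suffix is this example's convention, not Adobe's.
            cp -p "$lib/$jar" "$lib/$jar.pre-APSB11-15.$stamp"
        fi
        cp "$patch_dir/$jar" "$lib/$jar"
    done
    return 0
}

# Typical use (paths and hash are placeholders):
#   verify_md5 /tmp/quickfix.zip <MD5 from the bulletin table> || exit 1
#   install_hotfix_jars /tmp/patch /opt/server/webapps/lcds \
#       flex-messaging-common.jar flex-messaging-core.jar flex-messaging-data.jar
#   then restart the application server.
```

The jar list is passed explicitly because it differs by release (two jars for the 2.x and BlazeDS patches, three for LCDS 2.6 and later), so the same function serves every block of instructions above. Keeping the pre-patch jars alongside makes a rollback a file copy rather than a reinstall.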
Adobe categorizes these as important updates and recommends that users apply the latest update for their product installations by following the instructions in the "Solution" section above.
These updates resolve a vulnerability in which arbitrary classes could be instantiated during AMF/AMFX deserialization, which poses a security risk (CVE-2011-2092).
These updates resolve a complex object graph vulnerability that could lead to a denial of service (CVE-2011-2093).
Adobe would like to thank Wouter Coekaerts (CVE-2011-2092, CVE-2011-2093) for reporting the relevant issues and for working with Adobe to help protect our customers.
July 11, 2011 - Updated instructions to note additional instructions in readme files
June 22, 2011 - Updated the version information for updating earlier versions of BlazeDS